RE: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]
Your statement is incorrect. Context Based Access Control (CBAC) has been around since 11.2 on certain Cisco router platforms and does indeed keep state on connections through the router, much like the PIX. I.e. CBAC keeps track of src/dst IP addresses, src/dst port numbers and TCP sequence numbers; it also understands many multi-channel apps like FTP, CUSeeMe, VDOLive, etc. and will dynamically open ports as needed for these apps.

To the OP question: The main differentiating factors between the PIX and a Cisco with CBAC (i.e. FFS) are:

1) PIX is pre-hardened, no unnecessary services. A router must be properly configured to remove all unnecessary functions, but then you still cannot selectively remove things from the code itself, just change commands, so there is always a chance that some service may still be active on the router. Not so on the PIX. In simple configurations, the PIX is much easier to get working than a similarly configured router, less room for error, easier to manage, etc.

2) PIX code is optimized for NAT/filtering services; theoretically the PIX should be faster than similar router hardware. The high-end PIXes are definitely faster than high-end CBAC routers. Mileage may vary on the lower end PIXes (i.e. 506, 515) depending on the router it's compared to.

3) PIX has 3rd party integration products to perform things like HTTP and email content checking, not so with the routers.

4) PIX can do stateful failover to a backup PIX, routers cannot.

5) It's easier to sell management on a security design that uses PIX vs a router because all they know is "we need a firewall". ;-)

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Subba Rao
Sent: Friday, June 15, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]

On 0, Sam wrote:
> Does anybody know the major differences between these two firewall
> solutions? In this particular situation performance is not an issue. Is a
> properly configured router using IOS firewall any less secure than using a
> PIX?
>

The Cisco PIX firewall performs stateful packet inspection/filtering. Cisco IOS firewall cannot do that.

--
Subba Rao
[EMAIL PROTECTED]
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=8841&t=8200
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]
Ok, then what is CBAC doing, and how would you compare CBAC and a PIX?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Subba Rao
Sent: Friday, June 15, 2001 8:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]

On 0, Sam wrote:
> Does anybody know the major differences between these two firewall
> solutions? In this particular situation performance is not an issue. Is a
> properly configured router using IOS firewall any less secure than using a
> PIX?
>

The Cisco PIX firewall performs stateful packet inspection/filtering. Cisco IOS firewall cannot do that.

--
Subba Rao
[EMAIL PROTECTED]
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=8823&t=8200
Re: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]
On 0, Sam wrote:
> Does anybody know the major differences between these two firewall
> solutions? In this particular situation performance is not an issue. Is a
> properly configured router using IOS firewall any less secure than using a
> PIX?
>

The Cisco PIX firewall performs stateful packet inspection/filtering. Cisco IOS firewall cannot do that.

--
Subba Rao
[EMAIL PROTECTED]
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=8740&t=8200
Re: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]
There are a lot of differences, but I only remember a few specific "nitty gritties" I learned from installs (haven't touched the PIX's in about 6 or 8 months).

The PIX (as with most good firewalls) can detect sync packets that have not been sourced from you (FW IOS does not). Meaning a hacker cannot spoof as a continuing TCP session.

Also, the PIX is not vulnerable to anything NTP, because network time has been removed with this device.

Phil

----- Original Message -----
From: Sam
To:
Sent: Tuesday, June 12, 2001 1:10 PM
Subject: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]

> Does anybody know the major differences between these two firewall
> solutions? In this particular situation performance is not an issue. Is a
> properly configured router using IOS firewall any less secure than using a
> PIX?
>
> Regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=8270&t=8200
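Added example, not written by any poster in this thread and not Cisco's own code: a toy Python model of the two behaviours the thread argues about, namely the per-connection state Kent describes for CBAC (src/dst address, ports, TCP sequence numbers, dynamic ports for multi-channel apps such as FTP) and the point Phil makes about a stateful device rejecting a segment that pretends to continue a session it never saw. It contrasts a stateless "established"-style ACL, which trusts the ACK bit alone, with a stateful inspector that permits return traffic only when it matches a session initiated from the inside. All addresses, ports, sequence numbers, the 65535-byte window and the `Packet`/`StatefulInspector` names are constructed for the example.

```python
"""Constructed example: stateless 'established' ACL vs. a stateful inspector."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment: just the fields a state table cares about."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    payload: bytes = b""


def tcp(src, sport, dst, dport, flags, seq=0, payload=b""):
    return Packet(src, sport, dst, dport, frozenset(flags), seq, payload)


class EstablishedACL:
    """Stateless filter in the spirit of 'permit tcp any any established':
    it only looks at the ACK bit, so any segment with ACK set gets through."""

    def inbound(self, p):
        return "permit" if "ACK" in p.flags else "deny"


# Active-mode FTP "PORT a,b,c,d,hi,lo" announces the client's data port.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulInspector:
    """Tracks sessions opened from the inside; inbound traffic must match one."""
    WINDOW = 65535  # assumed acceptable sequence window (constructed value)

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> next expected
        # sequence number from the outside peer (None until its SYN-ACK arrives)
        self.sessions = {}
        # (outside_ip, inside_ip, inside_port): one inbound SYN allowed through
        self.pinholes = set()

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.sessions[key] = None          # new session, peer seq unknown
            return "permit"
        if key not in self.sessions:
            return "deny"                      # data on a session never opened
        if p.dport == 21:                      # FTP control channel: watch for PORT
            m = PORT_RE.search(p.payload)
            if m:
                a, b, c, d, hi, lo = (int(x) for x in m.groups())
                self.pinholes.add((p.dst, f"{a}.{b}.{c}.{d}", hi * 256 + lo))
        return "permit"

    def inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            expected = self.sessions[key]
            if expected is None:               # waiting for the peer's SYN-ACK
                if p.flags == frozenset({"SYN", "ACK"}):
                    self.sessions[key] = p.seq + 1
                    return "permit"
                return "deny"
            if not (expected <= p.seq < expected + self.WINDOW):
                return "deny"                  # out of window: spoofed or replayed
            self.sessions[key] = expected + len(p.payload)
            return "permit"
        hole = (p.src, p.dst, p.dport)
        if hole in self.pinholes and p.flags == frozenset({"SYN"}):
            self.pinholes.discard(hole)        # one-shot dynamic opening
            self.sessions[key] = p.seq + 1     # data channel now tracked too
            return "permit"
        return "deny"                          # no state, no pinhole: dropped


def demo():
    """Runs a constructed scenario and returns each filter decision by name."""
    inside, outside, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    fw, acl, out = StatefulInspector(), EstablishedACL(), {}
    # Inside client opens an FTP control channel; the handshake is tracked.
    out["syn_out"] = fw.outbound(tcp(inside, 40000, outside, 21, ["SYN"], seq=1000))
    out["synack_in"] = fw.inbound(tcp(outside, 21, inside, 40000, ["SYN", "ACK"], seq=5000))
    out["data_in"] = fw.inbound(tcp(outside, 21, inside, 40000, ["ACK"], seq=5001,
                                    payload=b"220 ready\r\n"))
    # A segment with ACK set from a host that never completed a handshake.
    spoof = tcp(stranger, 443, inside, 40000, ["ACK"], seq=1)
    out["spoof_stateful"] = fw.inbound(spoof)
    out["spoof_acl"] = acl.inbound(spoof)
    # Correct 4-tuple but a sequence number far outside the expected window.
    out["oow_in"] = fw.inbound(tcp(outside, 21, inside, 40000, ["ACK"], seq=999999))
    # PORT command from the inside opens a pinhole for the server's data SYN.
    out["port_out"] = fw.outbound(tcp(inside, 40000, outside, 21, ["ACK"], seq=1001,
                                      payload=b"PORT 10,0,0,5,156,65\r\n"))
    out["data_syn_in"] = fw.inbound(tcp(outside, 20, inside, 40001, ["SYN"], seq=7000))
    out["other_syn_in"] = fw.inbound(tcp(outside, 20, inside, 40002, ["SYN"], seq=7000))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

The instructive rows are `spoof_stateful` versus `spoof_acl`: the same forged segment is dropped by the state table and passed by the ACK-bit check, which is the difference the thread is about. The `port_out`/`data_syn_in` pair shows the dynamic opening Kent describes for multi-channel applications; the pinhole is consumed by the first matching SYN and is never a standing hole.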